From 056b2e22880cc71d366c79961bf00861826b3683 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:30:34 -0700
Subject: [PATCH 01/14] Revert "Infra: Remove GitHub Actions from Dependabot configuration (#2267)"

This reverts commit cb7f78a25cf6c13a2af7fd295aee31d0560eee39.

---
 .github/dependabot.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 03235972dd..cbeb1c1617 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,8 +23,6 @@ updates:
 schedule:
 interval: "weekly"
 day: "sunday"
- cooldown:
- default-days: 7
 # Maintain dependencies for iceberg
 - package-ecosystem: "cargo"

From 6006db6cda1004aa496c5c21380fd5bac4b0eaa4 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:31:00 -0700
Subject: [PATCH 02/14] add cooldown

---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index cbeb1c1617..03235972dd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,8 @@ updates:
 schedule:
 interval: "weekly"
 day: "sunday"
+ cooldown:
+ default-days: 7
 # Maintain dependencies for iceberg
 - package-ecosystem: "cargo"

From db822f7f9bb6a5a8a3833aaebe0ea48f05e769ba Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 10:37:41 -0700
Subject: [PATCH 03/14] autofix

---
 .github/workflows/audit.yml | 2 ++
 .github/workflows/bindings_python_ci.yml | 6 ++++++
 .github/workflows/ci.yml | 10 ++++++++++
 .github/workflows/ci_typos.yml | 2 ++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/release_python.yml | 12 ++++++++++--
 .github/workflows/release_python_nightly.yml | 4 ++++
 .github/workflows/website.yml | 2 ++
 8 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index abe0c377c5..f13ca44512 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -45,6 +45,8 @@ jobs: if: github.repository == 'apache/iceberg-rust' steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder with: diff --git a/.github/workflows/bindings_python_ci.yml b/.github/workflows/bindings_python_ci.yml index efd4a78098..8d99b3734e 100644 --- a/.github/workflows/bindings_python_ci.yml +++ b/.github/workflows/bindings_python_ci.yml @@ -48,6 +48,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Check format working-directory: "bindings/python" run: cargo fmt --all -- --check @@ -59,6 +61,8 @@ jobs: runs-on: ubuntu-slim steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 with: version: "0.9.3" @@ -86,6 +90,8 @@ jobs: - windows-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-python@v6 with: python-version: 3.12 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af96f9ad66..a3626cde9e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,6 +54,8 @@ jobs: - macos-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder @@ -92,6 +94,8 @@ jobs: - windows-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder @@ -118,6 +122,8 @@ jobs: - windows-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder @@ -139,6 +145,8 @@ jobs: name: Tests (${{ matrix.test-suite.name }}) steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder 
@@ -183,6 +191,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install protoc uses: arduino/setup-protoc@v3 with: diff --git a/.github/workflows/ci_typos.yml b/.github/workflows/ci_typos.yml index 8031cd8ca9..900ed8bd07 100644 --- a/.github/workflows/ci_typos.yml +++ b/.github/workflows/ci_typos.yml @@ -44,5 +44,7 @@ jobs: FORCE_COLOR: 1 steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Check typos uses: crate-ci/typos@v1.44.0 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 26f61118b7..60adef8c44 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -47,6 +47,8 @@ jobs: - "crates/integrations/datafusion" steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get MSRV id: get-msrv diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index abf8b52b6d..8c7a753cb7 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -49,6 +49,8 @@ jobs: steps: - uses: actions/checkout@v6 if: ${{ github.event_name == 'workflow_dispatch' }} + with: + persist-credentials: false - name: Validate release tag format id: validate @@ -115,6 +117,8 @@ jobs: needs: [validate-release-tag] steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install toml-cli if: ${{ needs.validate-release-tag.outputs.is-rc == 'true' }} 
@@ -124,11 +128,13 @@ jobs: if: ${{ needs.validate-release-tag.outputs.is-rc == 'true' }} working-directory: "bindings/python" run: | - echo "Setting cargo version to: ${{ needs.validate-release-tag.outputs.cargo-version }}" - toml set Cargo.toml package.version ${{ needs.validate-release-tag.outputs.cargo-version }} > Cargo.toml.tmp + echo "Setting cargo version to: ${NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION}" + toml set Cargo.toml package.version ${NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION} > Cargo.toml.tmp # doing this explicitly to avoid issue in Windows where `mv` does not overwrite existing file rm Cargo.toml mv Cargo.toml.tmp Cargo.toml + env: + NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION: ${{ needs.validate-release-tag.outputs.cargo-version }} - uses: PyO3/maturin-action@v1 with: @@ -159,6 +165,8 @@ jobs: - { os: ubuntu-latest, target: "armv7l" } steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install toml-cli if: ${{ needs.validate-release-tag.outputs.is-rc == 'true' }} diff --git a/.github/workflows/release_python_nightly.yml b/.github/workflows/release_python_nightly.yml index 595cb42d05..5ef6c69e38 100644 --- a/.github/workflows/release_python_nightly.yml +++ b/.github/workflows/release_python_nightly.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: ./.github/actions/overwrite-package-version # Overwrite package version with timestamp with: @@ -77,6 +79,8 @@ jobs: - { os: ubuntu-latest, target: "armv7l" } steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: ./.github/actions/overwrite-package-version # Overwrite package version with timestamp with: diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml index 59bd2c6f2c..01da36baf0 100644 --- a/.github/workflows/website.yml +++ b/.github/workflows/website.yml 
@@ -40,6 +40,8 @@ jobs: contents: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Setup mdBook uses: peaceiris/actions-mdbook@v2 From 1cf0f6f25a8a39d78dcd2b4f51d78d92251d1be6 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 12:59:33 -0700 Subject: [PATCH 04/14] fix zizmor --- .../overwrite-package-version/action.yml | 2 +- .github/workflows/audit.yml | 4 +- .github/workflows/bindings_python_ci.yml | 10 ++-- .github/workflows/ci.yml | 28 +++++----- .github/workflows/ci_typos.yml | 4 +- .github/workflows/publish.yml | 17 +++++- .github/workflows/release_python.yml | 56 ++++++++----------- .github/workflows/release_python_nightly.yml | 18 +++--- .github/workflows/stale.yml | 2 +- .github/workflows/website.yml | 8 +-- 10 files changed, 75 insertions(+), 74 deletions(-) diff --git a/.github/actions/overwrite-package-version/action.yml b/.github/actions/overwrite-package-version/action.yml index 8a2739456e..aed736ecf9 100644 --- a/.github/actions/overwrite-package-version/action.yml +++ b/.github/actions/overwrite-package-version/action.yml @@ -25,7 +25,7 @@ runs: using: "composite" steps: - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.12' diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index f13ca44512..68731cbed3 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -44,13 +44,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'apache/iceberg-rust' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Setup Rust toolchain uses: ./.github/actions/setup-builder with: rust-version: stable - - uses: rustsec/audit-check@v2.0.0 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} 
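Review bot: The composite action `overwrite-package-version/action.yml` now pins `actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5`, while the workflows in the same series pin `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6`; two major versions of the same action in one repository doubles the pins to keep current and is easy to miss in future bumps. Unless the composite action needs v5 for a reason, align it on the v6 SHA used elsewhere, e.g. `uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6`. The `runs:` block of the composite action continues past the end of its hunk.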
diff --git a/.github/workflows/bindings_python_ci.yml b/.github/workflows/bindings_python_ci.yml index 8d99b3734e..c91c027141 100644 --- a/.github/workflows/bindings_python_ci.yml +++ b/.github/workflows/bindings_python_ci.yml @@ -47,7 +47,7 @@ jobs: check-rust: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Check format @@ -60,7 +60,7 @@ jobs: check-python: runs-on: ubuntu-slim steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 @@ -89,13 +89,13 @@ jobs: - macos-latest - windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.12 - - uses: PyO3/maturin-action@v1 + - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 with: working-directory: "bindings/python" command: build diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3626cde9e..03c13088c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -53,7 +53,7 @@ jobs: - ubuntu-latest - macos-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
@@ -61,13 +61,13 @@ jobs: uses: ./.github/actions/setup-builder - name: Check License Header - uses: apache/skywalking-eyes/header@v0.8.0 + uses: apache/skywalking-eyes/header@e9f91c35e4d4ae4420f722aa6598c4a13cc69093 # v0.8.0 - name: Check toml format run: make check-toml - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -93,7 +93,7 @@ jobs: - macos-latest - windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -101,10 +101,10 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -121,7 +121,7 @@ jobs: - macos-latest - windows-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -129,7 +129,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - name: Build run: cargo build -p iceberg --no-default-features @@ -144,7 +144,7 @@ jobs: - { name: "doc", args: "--doc --all-features --workspace" } name: Tests (${{ matrix.test-suite.name }}) steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
@@ -152,18 +152,18 @@ jobs: uses: ./.github/actions/setup-builder - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Rust artifacts - uses: swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ matrix.test-suite.name }} - name: Install cargo-nextest if: matrix.test-suite.name == 'default' - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81 # v2 with: tool: cargo-nextest @@ -190,11 +190,11 @@ jobs: name: Verify MSRV runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Get MSRV diff --git a/.github/workflows/ci_typos.yml b/.github/workflows/ci_typos.yml index 900ed8bd07..2c68ca1778 100644 --- a/.github/workflows/ci_typos.yml +++ b/.github/workflows/ci_typos.yml @@ -43,8 +43,8 @@ jobs: env: FORCE_COLOR: 1 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Check typos - uses: crate-ci/typos@v1.44.0 + uses: crate-ci/typos@a8d8e187146634c459c27ade2d3e338569378720 # v1.44.0 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 60adef8c44..300d306042 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -32,6 +32,7 @@ permissions: jobs: publish: runs-on: ubuntu-latest + environment: publish strategy: max-parallel: 1 # Publish package one by one instead of flooding the registry matrix: 
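Review bot: `environment: publish` only restricts who can reach `CARGO_REGISTRY_TOKEN` if that secret is defined on the environment rather than at repository level, and only gates the run if the environment carries protection rules (required reviewers and a deployment-branch/tag rule limited to release tags); the hunk shows neither, so please confirm both are configured in repository settings, otherwise the long-lived crates.io token is as exposed as before this change. A short comment next to the key would keep that contract visible to future maintainers, e.g. `environment: publish # CARGO_REGISTRY_TOKEN is an environment secret; protection rules gate tag releases`. The `publish` job continues past the end of this hunk.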
@@ -46,7 +47,7 @@ jobs: - "crates/catalog/sql" - "crates/integrations/datafusion" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -63,6 +64,18 @@ jobs: working-directory: ${{ matrix.package }} # Only publish if it's a tag and the tag is not a pre-release if: ${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') }} - run: cargo publish --all-features + run: cargo publish --all-features # zizmor: ignore[use-trusted-publishing] env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} + + # Trigger Python release after crate publishing completes. + # Only runs for tag pushes; for manual Python releases, use workflow_dispatch on release_python.yml directly. + release-python: + needs: [publish] + if: ${{ startsWith(github.ref, 'refs/tags/') }} + permissions: + contents: read + id-token: write # Required for PyPI trusted publishing in the called workflow + uses: ./.github/workflows/release_python.yml + with: + release_tag: ${{ github.ref_name }} diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 8c7a753cb7..efa324f6d5 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -18,10 +18,12 @@ name: Publish Python 🐍 distribution 📦 to PyPI on: - workflow_run: - workflows: ["Publish"] # Trigger this workflow after the "publish.yml" workflow completes - types: - - completed + workflow_call: + inputs: + release_tag: + description: 'Release tag (e.g., v0.4.0 or v0.4.0-rc.1)' + required: true + type: string workflow_dispatch: inputs: release_tag: 
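Review bot: The new `release-python` job runs for every tag push, including pre-release tags for which the `cargo publish` step above is skipped by `!contains(github.ref, '-')`; a skipped step still leaves `publish` successful, so `needs: [publish]` does not make the PyPI release depend on crates actually having been published, which the comment "Trigger Python release after crate publishing completes" suggests it does. Say so explicitly so nobody relies on that coupling, e.g. `# Runs for every tag push, including -rc tags where crate publishing above is skipped; crate publishing is not a prerequisite.`. Because `id-token: write` is handed to the called workflow on all of these runs, its own tag validation and `if:` guards are what bound OIDC use, which is worth stating next to the permission. The top-level `permissions:` block this job sits under begins before the hunk.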
@@ -33,39 +35,23 @@ permissions: contents: read jobs: - check-cargo-publish: - runs-on: ubuntu-latest - # Only run if the triggering workflow succeeded OR if manually triggered - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} - steps: - - run: echo 'The Publish workflow passed or was manually triggered' - validate-release-tag: runs-on: ubuntu-latest - needs: [check-cargo-publish] outputs: cargo-version: ${{ steps.validate.outputs.cargo-version }} is-rc: ${{ steps.validate.outputs.is-rc }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 if: ${{ github.event_name == 'workflow_dispatch' }} with: persist-credentials: false - name: Validate release tag format id: validate - # Use input for workflow_dispatch, otherwise use `workflow_run.head_branch` - # Note, `workflow_run.head_branch` does not contain `refs/tags/` prefix, just the tag name, i.e. `v0.4.0` or `v0.4.0-rc.1` # Valid formats: v.. OR v..-rc. env: - DISPATCH_RELEASE_TAG: ${{ github.event.inputs.release_tag }} - RUN_HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} + RELEASE_TAG: ${{ inputs.release_tag }} run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - RELEASE_TAG="$DISPATCH_RELEASE_TAG" - else - RELEASE_TAG="$RUN_HEAD_BRANCH" - fi echo "Validating release tag: $RELEASE_TAG" if [[ ! "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then echo "❌ Invalid release tag format: $RELEASE_TAG" @@ -116,7 +102,7 @@ jobs: runs-on: ubuntu-latest needs: [validate-release-tag] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
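Review bot: The checkout in `validate-release-tag` is still gated on `github.event_name == 'workflow_dispatch'`, but on the new `workflow_call` path `github.event_name` is the caller's event (a tag `push` from publish.yml), so the step never runs there; the visible `Validate release tag format` step reads only `$RELEASE_TAG` from `env`, so the checkout looks unnecessary on both paths and can be dropped, unless a later step in this job (outside the hunk) needs repository files, in which case remove the `if:` instead of keying it on the event name. The regex `^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$` is what stops `inputs.release_tag` from reaching later shell steps as an injection vector, so keep it as the first use of the value and record that intent, e.g. `# Reject anything that is not a plain semver tag before the value is used by later jobs`. The job continues past the end of the hunk.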
@@ -129,20 +115,20 @@ jobs: working-directory: "bindings/python" run: | echo "Setting cargo version to: ${NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION}" - toml set Cargo.toml package.version ${NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION} > Cargo.toml.tmp + toml set Cargo.toml package.version "${NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION}" > Cargo.toml.tmp # doing this explicitly to avoid issue in Windows where `mv` does not overwrite existing file rm Cargo.toml mv Cargo.toml.tmp Cargo.toml env: NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION: ${{ needs.validate-release-tag.outputs.cargo-version }} - - uses: PyO3/maturin-action@v1 + - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 with: working-directory: "bindings/python" command: sdist args: -o dist - name: Upload sdist - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: wheels-sdist path: bindings/python/dist @@ -164,7 +150,7 @@ jobs: } - { os: ubuntu-latest, target: "armv7l" } steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
@@ -175,14 +161,16 @@ jobs: - name: Set cargo version for RC if: ${{ needs.validate-release-tag.outputs.is-rc == 'true' }} working-directory: "bindings/python" + env: + CARGO_VERSION: ${{ needs.validate-release-tag.outputs.cargo-version }} run: | - echo "Setting cargo version to: ${{ needs.validate-release-tag.outputs.cargo-version }}" - toml set Cargo.toml package.version ${{ needs.validate-release-tag.outputs.cargo-version }} > Cargo.toml.tmp + echo "Setting cargo version to: $CARGO_VERSION" + toml set Cargo.toml package.version "$CARGO_VERSION" > Cargo.toml.tmp # doing this explicitly to avoid issue in Windows where `mv` does not overwrite existing file rm Cargo.toml mv Cargo.toml.tmp Cargo.toml - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.12 - name: Get MSRV @@ -193,7 +181,7 @@ jobs: uses: ./.github/actions/setup-builder with: rust-version: ${{ steps.get-msrv.outputs.msrv }} - - uses: PyO3/maturin-action@v1 + - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 with: target: ${{ matrix.target }} manylinux: ${{ matrix.manylinux || 'auto' }} @@ -201,7 +189,7 @@ jobs: command: build args: --release -o dist -i python3.12 # Explicitly set interpreter; manylinux containers have multiple Pythons and maturin may pick an older one - name: Upload wheels - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: wheels-${{ matrix.os }}-${{ matrix.target }} path: bindings/python/dist 
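Review bot: The two "Set cargo version for RC" steps now name the same job output differently: this one uses `CARGO_VERSION`, while the sdist job's step earlier in the file uses `NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION`. Both are correct and both correctly pass the value through `env` rather than interpolating it into the script, but one name makes the two scripts greppable and obviously identical; the short form with a note on provenance reads best, e.g. `CARGO_VERSION: ${{ needs.validate-release-tag.outputs.cargo-version }} # derived from the tag validated in validate-release-tag`. The wheel-build job these steps belong to begins before the hunk.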
@@ -220,13 +208,13 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: wheels-* merge-multiple: true path: bindings/python/dist - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: skip-existing: true packages-dir: bindings/python/dist diff --git a/.github/workflows/release_python_nightly.yml b/.github/workflows/release_python_nightly.yml index 5ef6c69e38..c32bfed696 100644 --- a/.github/workflows/release_python_nightly.yml +++ b/.github/workflows/release_python_nightly.yml @@ -40,7 +40,7 @@ jobs: if: github.repository == 'apache/iceberg-rust' # Only run for apache repo runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -48,14 +48,14 @@ jobs: with: timestamp: ${{ needs.set-version.outputs.TIMESTAMP }} - - uses: PyO3/maturin-action@v1 + - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 with: working-directory: "bindings/python" command: sdist args: -o dist - name: Upload sdist - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: wheels-sdist path: bindings/python/dist @@ -78,7 +78,7 @@ jobs: } - { os: ubuntu-latest, target: "armv7l" } steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -86,7 +86,7 @@ jobs: with: timestamp: ${{ needs.set-version.outputs.TIMESTAMP }} - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.12 
@@ -99,7 +99,7 @@ jobs: with: rust-version: ${{ steps.get-msrv.outputs.msrv }} - - uses: PyO3/maturin-action@v1 + - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 with: target: ${{ matrix.target }} manylinux: ${{ matrix.manylinux || 'auto' }} @@ -108,7 +108,7 @@ jobs: args: --release -o dist -i python3.12 # Explicitly set interpreter; manylinux containers have multiple Pythons and maturin may pick an older one - name: Upload wheels - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: wheels-${{ matrix.os }}-${{ matrix.target }} path: bindings/python/dist @@ -126,7 +126,7 @@ jobs: steps: - name: Download all the dists - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: wheels-* merge-multiple: true @@ -136,7 +136,7 @@ jobs: - name: Publish to TestPyPI id: publish-testpypi continue-on-error: true - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: repository-url: https://test.pypi.org/legacy/ skip-existing: true diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e2afce4c71..c3d3f18294 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -32,7 +32,7 @@ jobs: if: github.repository_owner == 'apache' runs-on: ubuntu-24.04 steps: - - uses: actions/stale@v10.2.0 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: # stale issues stale-issue-label: 'stale,security' diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml index 01da36baf0..52b2171a23 100644 --- a/.github/workflows/website.yml +++ b/.github/workflows/website.yml 
@@ -39,17 +39,17 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Setup mdBook - uses: peaceiris/actions-mdbook@v2 + uses: peaceiris/actions-mdbook@062dc9e3eab0bad35531417c6bb6c6a7a184764f # v2 with: mdbook-version: "0.4.36" - name: Install protoc - uses: arduino/setup-protoc@v3 + uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} @@ -66,7 +66,7 @@ jobs: cp -r target/doc ./website/book/api - name: Deploy to gh-pages - uses: peaceiris/actions-gh-pages@v4.0.0 + uses: peaceiris/actions-gh-pages@47f197a2200bb9de68ba5f48fad1c088eb1c4a32 # v4.0.0 if: github.event_name == 'push' && github.ref_name == 'main' with: github_token: ${{ secrets.GITHUB_TOKEN }} From 8fe134a3c17dfe61a42cc6ec890c606999d20dba Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 13:03:40 -0700 Subject: [PATCH 05/14] add issue --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 300d306042..d6ba35d9f4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -64,7 +64,7 @@ jobs: working-directory: ${{ matrix.package }} # Only publish if it's a tag and the tag is not a pre-release if: ${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') }} - run: cargo publish --all-features # zizmor: ignore[use-trusted-publishing] + run: cargo publish --all-features # zizmor: ignore[use-trusted-publishing] -- https://github.com/apache/iceberg-rust/issues/1539 env: CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} From 6123e85803c73f1bf31372256bc8bbd83a2619da Mon Sep 17 00:00:00 2001 
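Review bot: The job-level `permissions: contents: write` applies to every step of the job, although only the final `peaceiris/actions-gh-pages` step, guarded by `if: github.event_name == 'push' && github.ref_name == 'main'`, needs it; if this workflow also runs on pull requests (the trigger block is outside the hunk), the mdBook, protoc and cargo doc steps execute with a write-capable token on every PR. Consider a build job with `contents: read` that uploads the rendered site as an artifact and a separate deploy job that downloads it with `contents: write`, or at minimum document the scope, e.g. `contents: write # required only by the gh-pages deploy step on pushes to main`. The job's remaining steps lie between the two hunks shown.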
From: Kevin Liu Date: Sat, 28 Mar 2026 13:06:12 -0700 Subject: [PATCH 06/14] case sensitive --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 03c13088c6..c46f6732a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - name: Install protoc uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 @@ -129,7 +129,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 - name: Build run: cargo build -p iceberg --no-default-features @@ -157,7 +157,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Rust artifacts - uses: Swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 with: key: ${{ matrix.test-suite.name }} From 798ad2c8f14e54df2405422c1d8fba7131f895b5 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 13:06:58 -0700 Subject: [PATCH 07/14] ignore pypa for now --- .github/workflows/release_python.yml | 2 +- .github/workflows/release_python_nightly.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index efa324f6d5..1f800a6315 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml 
@@ -214,7 +214,7 @@ jobs:
 merge-multiple: true
 path: bindings/python/dist
 - name: Publish to PyPI
- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
+ uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash
 with:
 skip-existing: true
 packages-dir: bindings/python/dist
diff --git a/.github/workflows/release_python_nightly.yml b/.github/workflows/release_python_nightly.yml
index c32bfed696..ba51413d05 100644
--- a/.github/workflows/release_python_nightly.yml
+++ b/.github/workflows/release_python_nightly.yml
@@ -136,7 +136,7 @@ jobs:
 - name: Publish to TestPyPI
 id: publish-testpypi
 continue-on-error: true
- uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
+ uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash
 with:
 repository-url: https://test.pypi.org/legacy/
 skip-existing: true

From cd304c9a93cf461f63130eb432656b621051bc78 Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Sat, 28 Mar 2026 13:15:02 -0700
Subject: [PATCH 08/14] add zizmor ci

---
 .github/workflows/zizmor.yml | 43 ++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..0045c69d39
--- /dev/null
+++ b/.github/workflows/zizmor.yml
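Review bot: `pypa/gh-action-pypi-publish@release/v1` is a mutable branch ref on the one step that performs the PyPI trusted-publishing OIDC exchange, which makes it the single most valuable step in this workflow to pin; the `zizmor: ignore[unpinned-uses]` comment records the reason (the ASF allowlist), but unlike the `use-trusted-publishing` ignore in publish.yml it cites no tracking issue, so add one so the exception is revisited, e.g. `# zizmor: ignore[unpinned-uses] -- until asf-infra allowlists a commit hash, tracked in <issue link>`. When it is re-pinned, label the SHA with the concrete release tag rather than `# release/v1`, since a branch name in the comment gives reviewers and pin-update tooling nothing to check the hash against. The same applies to the TestPyPI step in release_python_nightly.yml in the second hunk.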
@@ -0,0 +1,43 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From 30b992cf859601c1313ec350f815a15d78d34f7c Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 28 Mar 2026 13:47:48 -0700 Subject: [PATCH 09/14] fix sha --- .github/workflows/bindings_python_ci.yml | 2 +- .github/workflows/ci.yml | 8 ++++---- .github/workflows/ci_typos.yml | 2 +- .github/workflows/codeql.yml | 4 ++-- .github/workflows/release_python.yml | 4 ++-- .github/workflows/release_python_nightly.yml | 4 ++-- .github/workflows/website.yml | 4 ++-- .github/workflows/zizmor.yml | 2 +- 8 files changed, 15 insertions(+), 15 deletions(-) 
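Review bot: The new zizmor workflow carries no comment on how findings are expected to be handled, while the `ignore pypa for now` patch earlier in this series already relies on an inline `# zizmor: ignore[rule] -- reason` suppression; a short header comment after the licence block saying that suppressions are written inline with the rule name and a justification would keep that convention discoverable to the next person who edits a workflow. The trigger is `pull_request` rather than `pull_request_target` and the checkout sets `persist-credentials: false`, which is the right shape for a scanner that only reads workflow files from a forked PR. The job-level `permissions` block grants `security-events: write` only, with no `contents: read`; checkout of a public repository presumably works without it, but if the repository's other workflows spell `contents: read` out (not visible in this diff) a one-line comment here explaining the omission would avoid a later "fix" that widens the grant.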
diff --git a/.github/workflows/bindings_python_ci.yml b/.github/workflows/bindings_python_ci.yml index c91c027141..244972fdfa 100644 --- a/.github/workflows/bindings_python_ci.yml +++ b/.github/workflows/bindings_python_ci.yml @@ -95,7 +95,7 @@ jobs: - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.12 - - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 + - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: working-directory: "bindings/python" command: build diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c46f6732a1..5eb12407b4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -61,7 +61,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Check License Header - uses: apache/skywalking-eyes/header@e9f91c35e4d4ae4420f722aa6598c4a13cc69093 # v0.8.0 + uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0 - name: Check toml format run: make check-toml @@ -101,7 +101,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install protoc uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3 @@ -129,7 +129,7 @@ jobs: uses: ./.github/actions/setup-builder - name: Cache Rust artifacts - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Build run: cargo build -p iceberg --no-default-features @@ -157,7 +157,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache Rust artifacts - uses: swatinem/rust-cache@42dc69e1aa15d09112580998cf2ef0119e2e91ae # v2 + uses: swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: key: ${{ matrix.test-suite.name }} 
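Review bot: The pin updates in this patch change the commit hash but keep a major-only version comment (`# v1` on PyO3/maturin-action, `# v2` on the three swatinem/rust-cache steps, and in the following hunks `# v4` on github/codeql-action, `# v1` on the maturin-action steps of both release workflows and `# v2` on peaceiris/actions-mdbook), so a reader cannot tell which upstream release the new hash corresponds to or verify it against a tag. apache/skywalking-eyes and crate-ci/typos keep `# v0.8.0` / `# v1.44.0` while their hash moves, and the commit title `fix sha` does not say what was wrong with the previous hashes, which is exactly what a future reader of the blame will want in the commit message. Patch 13 in this series already switches taiki-e/install-action to the full `# v2.70.0` form; applying the same convention here, e.g. `uses: swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v<resolved tag placeholder>`, makes each pin checkable against the upstream tag.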
diff --git a/.github/workflows/ci_typos.yml b/.github/workflows/ci_typos.yml index 2c68ca1778..9373c7295d 100644 --- a/.github/workflows/ci_typos.yml +++ b/.github/workflows/ci_typos.yml @@ -47,4 +47,4 @@ jobs: with: persist-credentials: false - name: Check typos - uses: crate-ci/typos@a8d8e187146634c459c27ade2d3e338569378720 # v1.44.0 + uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 75c10c7eaf..81bc6b16f8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -46,11 +46,11 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 + uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4 with: languages: actions - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 + uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4 with: category: "/language:actions" diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 1f800a6315..324625c4c2 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -122,7 +122,7 @@ jobs: env: NEEDS_VALIDATE_RELEASE_TAG_OUTPUTS_CARGO_VERSION: ${{ needs.validate-release-tag.outputs.cargo-version }} - - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 + - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: working-directory: "bindings/python" command: sdist @@ -181,7 +181,7 @@ jobs: uses: ./.github/actions/setup-builder with: rust-version: ${{ steps.get-msrv.outputs.msrv }} - - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 + - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: target: ${{ matrix.target }} manylinux: ${{ matrix.manylinux || 'auto' }} 
diff --git a/.github/workflows/release_python_nightly.yml b/.github/workflows/release_python_nightly.yml index ba51413d05..d816474908 100644 --- a/.github/workflows/release_python_nightly.yml +++ b/.github/workflows/release_python_nightly.yml @@ -48,7 +48,7 @@ jobs: with: timestamp: ${{ needs.set-version.outputs.TIMESTAMP }} - - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 + - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: working-directory: "bindings/python" command: sdist @@ -99,7 +99,7 @@ jobs: with: rust-version: ${{ steps.get-msrv.outputs.msrv }} - - uses: PyO3/maturin-action@db323e2cf5679b7feb8bcb561a36b27a0bc19e79 # v1 + - uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1 with: target: ${{ matrix.target }} manylinux: ${{ matrix.manylinux || 'auto' }} diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml index 52b2171a23..71fb9503c9 100644 --- a/.github/workflows/website.yml +++ b/.github/workflows/website.yml @@ -44,7 +44,7 @@ jobs: persist-credentials: false - name: Setup mdBook - uses: peaceiris/actions-mdbook@062dc9e3eab0bad35531417c6bb6c6a7a184764f # v2 + uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2 with: mdbook-version: "0.4.36" @@ -66,7 +66,7 @@ jobs: cp -r target/doc ./website/book/api - name: Deploy to gh-pages - uses: peaceiris/actions-gh-pages@47f197a2200bb9de68ba5f48fad1c088eb1c4a32 # v4.0.0 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 if: github.event_name == 'push' && github.ref_name == 'main' with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0045c69d39..663a2a4c94 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -35,7 +35,7 @@ jobs: security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false From 881684c790d85b94ccfca9017c403db21642741c Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sun, 29 Mar 2026 14:05:29 -0700 Subject: [PATCH 10/14] disable advanced-security so ci will error --- .github/workflows/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 663a2a4c94..c9e8236802 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -41,3 +41,5 @@ jobs: - name: Run zizmor 🌈 uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false From 7362a59f4f042168ffe8f2b678a94e0067ed3212 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 08:52:11 -0700 Subject: [PATCH 11/14] copy over --- .github/workflows/zizmor.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index c9e8236802..313835fcbe 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -31,11 +31,10 @@ jobs: zizmor: name: Run zizmor 🌈 runs-on: ubuntu-latest - permissions: - security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + permissions: {} steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false From abc71b55c0dc0fe52373c5c2e402ba548ee36f7f Mon Sep 17 00:00:00 2001 
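Review bot: Narrowing the job-level permissions to `permissions: {}` in the `copy over` patch also removes the comment that explained `security-events: write`, and nothing in the file now says why the SARIF upload is no longer needed; since `advanced-security: false` was added to the zizmor step in the preceding patch, a one-line comment would keep the two settings tied together, e.g. `permissions: {}  # advanced-security is disabled on the zizmor step below, so no SARIF upload and no security-events: write`. The checkout version comment on the unchanged hash `de0fac2e4500dabe0009e67214ff5f5447ce83dd` goes `# v6.0.2` → `# v6` in the `fix sha` patch and back to `# v6.0.2` here; pick one form (the full tag is the one this series adopts for taiki-e/install-action in patch 13) so the comment can be checked against the upstream tag. The commit title `disable advanced-security so ci will error` is the only place the intended effect of `advanced-security: false` is recorded; if the intent is that findings fail the job instead of being uploaded to code scanning, a comment next to the input stating that would help, as the action's exact semantics for that input cannot be confirmed from this diff.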
From: Kevin Liu Date: Mon, 30 Mar 2026 08:55:07 -0700 Subject: [PATCH 12/14] pypa --- .github/workflows/release_python.yml | 2 +- .github/workflows/release_python_nightly.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release_python.yml b/.github/workflows/release_python.yml index 324625c4c2..d9fcdd406b 100644 --- a/.github/workflows/release_python.yml +++ b/.github/workflows/release_python.yml @@ -214,7 +214,7 @@ jobs: merge-multiple: true path: bindings/python/dist - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: skip-existing: true packages-dir: bindings/python/dist diff --git a/.github/workflows/release_python_nightly.yml b/.github/workflows/release_python_nightly.yml index d816474908..86e589acd6 100644 --- a/.github/workflows/release_python_nightly.yml +++ b/.github/workflows/release_python_nightly.yml @@ -136,7 +136,7 @@ jobs: - name: Publish to TestPyPI id: publish-testpypi continue-on-error: true - uses: pypa/gh-action-pypi-publish@release/v1 # zizmor: ignore[unpinned-uses] -- until asf-infra publishes new allowlist with commit hash + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ skip-existing: true From 69ef149d0eb1060044605c0fdf4bc531f8c33842 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 08:56:15 -0700 Subject: [PATCH 13/14] version comment --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5eb12407b4..63ee893fa2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -163,7 +163,7 @@ jobs: - name: Install cargo-nextest if: matrix.test-suite.name == 'default' - uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81 # v2 + uses: taiki-e/install-action@0fde6d128a3d980ceac30be8c8b8739abd963b81 # v2.70.0 with: tool: cargo-nextest From 3126ecdfdc8bd7856fab8905a6d9588e7983f41c Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Mon, 30 Mar 2026 19:22:41 -0700 Subject: [PATCH 14/14] inline comment --- .github/workflows/bindings_python_ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bindings_python_ci.yml b/.github/workflows/bindings_python_ci.yml index 244972fdfa..a7abfcbeed 100644 --- a/.github/workflows/bindings_python_ci.yml +++ b/.github/workflows/bindings_python_ci.yml @@ -63,7 +63,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 + - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: "0.9.3" enable-cache: true @@ -100,7 +100,7 @@ jobs: working-directory: "bindings/python" command: build args: --out dist -i python3.12 # Explicitly set interpreter; manylinux containers have multiple Pythons and maturin may pick an older one - - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 + - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1 with: version: "0.9.3" enable-cache: true